Data Breach Cost Numbers Games
Written by Evan SchumanOver the last few weeks, one of the most common questions we’re hearing discussed is “Is PCI really worth it?” These are multi-billion-dollar retail chains asking this heretical question. But there’s a lot more behind the question than it might initially seem.
In a marked contrast to the same kinds of questions two years ago, the intent is not to ignore security. Indeed, many of the chains are already putting in place security procedures that go well beyond current PCI requirements. This issue isn’t one of safety or security. It’s a simple CFO’s ROI balance sheet, contrasting the bureaucratic and paperwork costs of dealing with the very formal PCI procedure with the limited fines and other bad things that will happen if a chain suddenly stops pursuing PCI compliance.
In an odd way, Visa and PCI have been trying to strengthen PCI’s reputation by declaring that no breached retailer was ever found to be PCI compliant. But a campaign designed to strengthen PCI has actually served to undermine it.
One of the original attractions to the program was an implied form of safe harbor. It was an unspoken implication that an official PCI certification would be seen as a proof point that the retailer maintained high security levels, sort of like toothpaste that says accepted by the American Dental Association. (Come to think of it, those guys don’t seem too picky. When was the last time you saw a tube of toothpaste that was not ADA accepted?) Maybe Underwriter’s Laboratory or AAA member is a better example. Maybe the Good Housekeeping Seal of Approval?
But now that PCI and Visa have made a habit of finding some reason to conclude that anyone who has been breached and had been certified as PCI compliant was never really compliant, that declaration doesn’t seem to be worth much.
It’s not politically acceptable to step out of the program, but many retailers are crunching the numbers and seriously thinking about it. The ultimate threat that a non-compliant chain could lose its ability to accept payment cards is ridiculous. Such a move would hurt the card brands more than it would likely hurt the chain. The chains could offer their own card program or cut a deal with any one of the many alternative payment companies. As a practical matter, the threat of taking the cards away from large chains isn’t credible.
A report released this month from Ponemon tried to quantify the cost of breaches today, but its conclusions are rather underwhelming. “The average organizational cost of a data breach increased nearly 2 percent, from $6.65 million in our 2008 study to $6.75 million in 2009,” the report said. “The average cost per compromised record rose only $2, from $202 to $204.”
The problem with these details is that are they based on surveys. First, good security managers never discuss specific details. This fact raises questions about who was actually answering these questions and how close they were to the data. Second, what did those surveyed consider to be part of compromised data costs? Is there any reason to have confidence that all of those surveyed used the identical criteria? If not, those small differences mean nothing.
Even if we assume those numbers are somehow accurate, what practical value does that have? Data breach costs increasing 2 percent could reflect price increases or it might be that executives now know better what needs to be done. Don’t forget that breaches don’t cost anything until they’re discovered. How do you factor in the improved abilities of cyberthieves to hide their actions longer?
-Marc
January 28th, 2010 at 8:46 am
You rightly point out that there is no safe harbor through compliance – you are compliant until you are breached, and then you are not. Retailers I work with are wondering “If we implement rational security practices, who cares about compliance?”, and that is hard to argue with. In essence, PCI compliance has become less of a data security exercise, and more of a fine avoidance strategy.
Add to the ROI the unexpected reality of lots of small retailers having to complete SAQ D (think IRS 1040 long form return without TurboTax) and PCI has a serious problem!
January 28th, 2010 at 1:28 pm
The PCI DSS is meant to help organizations put security practices in place. Implementing security best practices will lead to compliance. Although the PCI DSS is not a flawless approach, it has brought a much higher awareness to the importance of securing data.
“Don’t forget that breaches don’t cost anything until they’re discovered.” This statement is completely false – it can cause a lot of damage to a cardholder, regardless of whether the source of the breach is determined.
January 28th, 2010 at 2:16 pm
Editor’s Note: Hi, Christine. I think you misinterpreted the line you quoted: “Don’t forget that breaches don’t cost anything until they’re discovered.” That statement was in the context of what kind of losses did retailers report to the survey. If the XYZ chain doesn’t know about a breach yet, they obviously can’t spend any money yet on cleaning it up or handling communication or paying for lawyers. They may be suffering damages now, but they don’t know it yet. And if they don’t know about it yet, they can’t discuss it in a survey.
January 29th, 2010 at 11:57 am
I am troubled by the potential implication that non-compliance at compromise is some sort of scam:
“PCI and Visa have made a habit of finding some reason to conclude that anyone who has been breached and had been certified as PCI compliant was never really compliant”).
It is rather dramatic proof that (a) MAINTAINING compliance is harder than ACHIEVING compliance.
PCI compliance is a point-in-time assessment. It’s not like freeze-tag when we were kids. Everything keeps moving both during and after the assessment. Businesses change. Hardware and software are added. Users come and go. Fail ONCE and you’re not compliant. And from the presentations at the community meeting last year, forensics investigators don’t see companies who ONLY failed once. The trend seems to be that compromised entities failed all over the place. They had all the information needed to detect the compromise, but weren’t following their own procedures. Users weren’t deleted. Configuration standards weren’t maintained. Log files weren’t reviewed. The list goes on.
Once an organization achieves PCI compliance it has built a control structure complete with checks and balance. Controls require approvals. Approvals create delays. Delays impact agility. Programmers can no longer rush code into production, they have to complete structured tests and migrate in the weekly change control window. Users can’t “phone a friend” for system access, they have to have the approval of the resource owner. Hardware builds have to comply with baselines before attaching to the network (and again, migrate through change control). And a hundred other examples. All of these measurably slow progress. This subsequently incents otherwise decent, hard-working employees facing tight deadlines and pressured to do more with less to behave perversely. In this case, perveresely is defined circumventing controls hindering them while providing them no perceived benefit that are nevertheless necessary at the macro level for the protection of the organization. Marv Carlson, my Management Controls professor, had a name for this situation that I have always loved – “dysfuncntional consequences of a control system”.
Other misconceptions are also in play here including “compliant = secure” and “PCI is an IT problem”. But those are topics for another day…
January 31st, 2010 at 5:41 pm
Data fraud is a crime that cannot be eliminated. The best we can do is to minimize risk and exposure. I believe the card associations are doing what they can, but data security is a work in progress and still has too many gray areas. Try asking for clarification on something and you will get five different answers, depending on who you ask and what day.
While “safe harbor” sounds good, the key words are “compliant at the time of the breach.” Somehow those two things do not seem to go together; therefore, in my opinion, there is no such thing as safe harbor.
February 4th, 2010 at 8:44 pm
The PCI debate mostly stems from confusion caused by a lot of people that comment on PCI without understanding it. Anyone who looks at the PCI DSS which is on the PCI web site can see that many requirements have to do with business practices, policies, and procedures. Being compliant means you’re actually doing all those things at all times. Getting validated means investigating samples and checking in “Yes” on a self-assessment form or an outside QSA does it.
Companies that only care about validation are getting away with not being compliant by avoiding enforcement. It’s like putting on your seatbelt or butting down your phone when you see a police car. Sure you don’t get busted by the police, but you’re just setting yourself up for a tragedy the rest of the time when you slam into something and look up wondering how much damage occurred. If a company rushes to produce samples for PCI validation week, those samples are misrepresentative, meaning the validation process was abused and the company really isn’t compliant. The rest of the systems aren’t compliant. Policy and procedure adherence really isn’t happening causing further lack of PCI DSS compliance.
I’d like to add on that the now removed Visa safe harbor provision only applied to fines from Visa and it did state that they had to be compliant at time of compromise. With all the confusion between compliance and validation, I can understand why.